Enabling HTTPS on a WordPress website

More and more websites are installing an SSL certificate and converting to HTTPS (secure http). Traditionally e-commerce websites enforce HTTPS on their logged in and checkout pages, however there is a movement supported by big firms like Google, Microsoft, Mozilla to encourage webmasters to convert their websites to HTTPS only. With this in mind, Spiral Hosting are making it easier than ever to secure your website with HTTPS. We have introduced a new AutoSSL feature on all our shared hosting, enterprise hosting and reseller hosting plans. The AutoSSL feature is enabled by default so our hosting clients can enforce HTTPS on their websites.

Whether you use the 90-day AutoSSL provided with your web hosting or you use one of the big brand certificates we sell from Comodo, GeoTrust or GlobalSign, you can easily update your WordPress website to run using HTTPS.

Step 1 - Is there an active SSL certificate on your website?

Spiral Hosting recommend all websites use 100% HTTPS, meaning SSL security encryption on every page of your website. To help you achieve this, we sell 1 year or 2 year certificates from leading SSL providers (Sectigo/Comodo, GeoTrust, or GlobalSign) and since Feb 2017 we also provide our free AutoSSL service, which is a free certificate automatically installed on every domain name hosted with us.

To check SSL coverage, login to your cPanel control panel and navigate to the "SSL/TLS Status" page. This will list all your domain names, including addon domains and sub-domains, and they should all have protection. You can click "Run AutoSSL" and the system will re-check SSL coverage (this takes 10 minutes to run). 

You can also do a thorough check of an SSL certificate using this online tool: https://comodo.ssllabs.com/

Our paid certificates are issued by "Comodo", "GeoTrust" or "GlobalSign", and the free AutoSSL certificate is issued by "cPanel Inc".

If the SSL certificate has been issued by "Cloudflare Inc" you'll need to activate SSL via your Cloudflare dashboard. Login via your cPanel control panel or cloudflare.com, then find the SSL option, and change it from Off/Flexible to "Full SSL".

Step 2 - Update the Site URL values under General > Settings in your WordPress admin dashboard.

WordPress Site URL

Make sure these two URL values begin with https and not http!

Step 3 - Use an .htaccess file to force redirect all HTTP requests to HTTPS.

Simply add the following 3 lines to your .htaccess file:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.exampledomain.com/$1 [R,L]

This code is pretty simple. It instructs the web server to redirect any visitor accessing the website on port 80 (HTTP) to the website address prefixed with https://

If you do not have an .htaccess file, simply create one in the main directory of your website. The main directory is normally called public_html unless you are working with a sub-domain or addon domain, which will have its own directory.

Don't forget to replace exampledomain.com in our code with your actual domain name!

Step 4 - Force WordPress admin pages to use SSL.

Open the wp-config.php file and add the following 1 line of code:

define('FORCE_SSL_ADMIN', true);

The wp-config.php file is found in your main website directory (normally public_html).

Step 5 - Check your website for any non HTTPS content

Your website should now be running on 100% HTTPS, but if any part of your website theme or plugins use non-HTTPS images, stylesheets or other content, it will cause a warning on most web browsers. We recommend typing your website address into the site scanner at https://www.whynopadlock.com/

If the site scanner finds any "mixed content" on your website, you have two options. You can manually go through the images/content and update the relevant code to use HTTPS instead of HTTP, or you can use a WordPress plugin to force the content to be delivered over HTTPS. For example, a plugin called Really Simple SSL.

If the site scanner continues to give warnings, we recommend discussing the issue with your website developer.